[ 
https://issues.apache.org/jira/browse/METRON-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16358592#comment-16358592
 ] 

ASF GitHub Bot commented on METRON-941:
---------------------------------------

Github user ctramnitz commented on the issue:

    https://github.com/apache/metron/pull/579
  
    I think https://github.com/apache/metron/pull/579/commits/ccd99dda3c8a72408ae13eeaca078af1e345a36c#diff-e0385f97ebea64bab3a83bceef70bb4aR67
    expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "<11>Jan  5 05:38:59 PAN1.exampleCustomer.com 1");
    should be
    expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
    
    The rest is the syslog header, not the PA domain.
    
    I'd suggest to strip the syslog header off the test data and assume it will also be stripped off on ingestion until we have a syslog-preparsing capability (i.e. https://issues.apache.org/jira/browse/METRON-1453).
    
    I'm already doing this using rsyslog:
    ```
    # receive syslog over UDP and forward to Kafka
    module(load="imudp")
    module(load="omkafka")

    # forward only the message body: the syslog header (PRI, timestamp, host) is dropped
    template(name="msgonly" type="string"
             string="%msg:::drop-last-lf%"
            )

    ruleset(name="udp514"){
      # <some-condition> selects the Palo Alto messages, e.g. by sender address
      if (<some-condition>) then {
        action(
          broker=["<kafka_host>:6667"]
          confparam=["client.id=rsyslog", "compression.codec=snappy", "socket.keepalive.enable=true"]
          type="omkafka"
          topic="paloalto"
          template="msgonly"
          # messages that could not be delivered to Kafka are kept here
          errorfile="/var/log/rsyslog_kafka_failures.log"
        )
      }
    }
    input(type="imudp" port="514" ruleset="udp514")
    ```


> native PaloAlto parser corrupts message when having a comma in the payload
> --------------------------------------------------------------------------
>
>                 Key: METRON-941
>                 URL: https://issues.apache.org/jira/browse/METRON-941
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.4.0
>         Environment: full-dev master
>            Reporter: Christian Tramnitz
>            Priority: Minor
>
> When a data field contains a comma (i.e. the URL, not too uncommon), the 
> split(",") kicks in and the rest of the message is off by a few fields due to 
> positional definition.
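The comma-splitting problem from the issue description and the syslog-header stripping from the comment above, as an added example that is not part of the Metron code base or of this thread: a quote-aware split (Python's csv module) beside the naive split(","), run over a constructed, shortened Palo Alto-style line. The regex that drops the syslog header is an assumption standing in for what the rsyslog "msgonly" template does, and the nine field names are an illustrative layout, not the real PAN-OS field list.

```python
import csv
import re
from typing import Callable, Dict, List

# Constructed sample, not a real firewall log: an RFC 3164-style syslog header
# followed by a shortened, comma-separated Palo Alto-style record whose URL
# field is quoted and contains a comma.
CONSTRUCTED_LINE = (
    "<11>Jan  5 05:38:59 PAN1.exampleCustomer.com "
    "1,2018/01/05 05:38:58,001606001116,THREAT,url,0,"
    '"example.com/search?q=a,b",allow-web,alert'
)

# Assumed field layout for the constructed record (9 positional fields).
FIELD_NAMES = [
    "domain", "receive_time", "serial", "type", "subtype",
    "config_version", "url", "rule", "action",
]

# Matches "<PRI>Mon dd hh:mm:ss hostname " so that only the message body remains,
# the same effect the rsyslog %msg% template has on ingestion (assumption).
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>"                                   # priority
    r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "   # e.g. "Jan  5 05:38:59 "
    r"\S+ "                                         # hostname
)


def strip_syslog_header(line: str) -> str:
    """Remove the syslog header; returns the line unchanged if none is present."""
    return SYSLOG_HEADER.sub("", line, count=1)


def naive_split(record: str) -> List[str]:
    """The buggy approach: split on every comma, quoted or not."""
    return record.split(",")


def csv_split(record: str) -> List[str]:
    """Quote-aware split: a comma inside double quotes stays in its field."""
    return next(csv.reader([record], delimiter=",", quotechar='"'))


def parse(line: str, splitter: Callable[[str], List[str]]) -> Dict[str, str]:
    """Strip the header, split, then assign values positionally.

    zip() silently drops surplus values, just as a positional parser would
    after a naive split has produced one field too many.
    """
    values = splitter(strip_syslog_header(line))
    return dict(zip(FIELD_NAMES, values))


def shifted_fields(line: str) -> List[str]:
    """Names of the fields whose value differs between the two parsers."""
    naive, correct = parse(line, naive_split), parse(line, csv_split)
    return [name for name in FIELD_NAMES if naive[name] != correct[name]]


if __name__ == "__main__":
    print("body:   ", strip_syslog_header(CONSTRUCTED_LINE))
    print("naive:  ", parse(CONSTRUCTED_LINE, naive_split))
    print("csv:    ", parse(CONSTRUCTED_LINE, csv_split))
    print("shifted:", shifted_fields(CONSTRUCTED_LINE))
```

With the naive split every field after the URL is shifted by one, so "rule" ends up holding the tail of the URL and "action" holds the rule name; the csv-based split keeps all nine fields in place. The same check can be run on any line whose field layout is known by replacing FIELD_NAMES.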



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)